You’ll also get implementation techniques as well as case studies featuring global services provision initiatives such as the Liberty Alliance Project. Practical, comprehensive, and up-to-date, this is a must-have reference for every administrator interested in conquering real-life security challenges through the effective use of Web Services.

Introduction

Working within the Web Services/Web Development field, I was given a copy of the book to review. Prior to receiving this book, my initial thoughts based on the title were that the book would be more geared towards security for web sites and servers, including what attacks are used and how to defend against them.

Intended Audience For This Book

This book is intended for software developers, architects, security professionals and network administrators who are responsible for deploying Web Services and who require more information and knowledge on the security implications.

Contents

The book starts with a biography of the authors and contributors, followed by the content listing. A foreword discussing Web Services by Patrick J. Gannon, President & CEO of OASIS Open, is next, followed by acknowledgements and a brief introduction.

Part 1 – Introduction
  Chapter 1 - Presenting Web Services
    Defining Web Services
    Introducing the XML Family
    XML for Communication
    An Example Web Services Scenario
    Practical Tools
  Chapter 2 - Presenting Security
    The Building Blocks of Security
    Peeling back the Layers of Security
  Chapter 3 - New Challenges and New Threats
    Web Services Security Challenges
    Meeting the Challenges: New Technology For the Web
    Web Services Security Threats

Part 2 – XML Security
  Chapter 4 - XML Signature
    Making Sense of XML Signature
    Uses of XML Signature for Web Services Security
    Creating and Validating an XML Signature
    Checklist
  Chapter 5 - XML Encryption
    Introduction to XML Encryption
    Encryption Scenarios
    Encryption Steps
    Decryption Steps
    Code Examples
    The Overlap with XML Signature
    Checklist
  Chapter 6 - SAML
    How SAML Enables “Portable trust”
    Deploying SAML
    Checklist
  Chapter 7 - XACML
    Introduction to XACML
    Rules in XACML
    Checklist
  Chapter 8 - XML Key Management Specification (XKMS)
    Public Key Infrastructure
    XKMS and PKI
    The XKMS Protocol
    XML Key Information Service Specification
    Advanced Protocol Features of XKMS 2.0

Part 3 – Security in SOAP: Presenting WS-Security
  Chapter 9 - WS-Security
    Introduction to WS-Security
    SAML and WS-Security
    Checklist

Part 4 – Security in Web Services Framework
  Chapter 10 - .NET and Passport
    Ticket, Please: A Kerberos Overview
    Passport
    Web Services and .NET
    Checklist
  Chapter 11 - The Liberty Alliance Project
    What Does the Liberty Alliance Project Have To Do with Web Services?
  Chapter 12 - UDDI and Security
    UDDI Overview
    Securing Transactions with the UDDI Services
    Checklist

Part 5 – Conclusion
  Chapter 13 - ebXML
    ebXML
    ebXML Security Overview
    ebXML Registry Security
    ebXML Message Security
    Standards Overview
    ebXML Standards Overview
    Message Security Conclusions
  Chapter 14 - Legal Considerations
    The Role of Contract Law and Evidence in Online Security
    Applying the Law to Particular Technologies
    Conclusions
    Checklist
  Appendix A - Case Studies
    Local Government Service Portal
    Foreign Exchange Transactions
    XML Gateway Rollout

Content Summary

Part 1: The first chapter is a great introduction to the book. It introduces and explains Web Services, then defines the XML family, not just as the eXtensible Markup Language itself, but also as the family of related technologies.

The second chapter introduces encryption, the various types of encryption and their uses, from digital certificates to smartcards. The second part of this chapter briefly discusses the vulnerabilities of the network, session, transport and application layers of the OSI model.

The third chapter focuses solely on Web Services security at the application layer, using HTTP and SOAP as the underlying technologies.

Part 2: This whole section covers technologies for XML security, which I’ve not actually had any experience with. There are informative chapters explaining XML Signature and XML Encryption, stating what each is and what it isn’t, and describing the deployment of SAML (Security Assertion Markup Language), XACML, PKI and XKMS.

Part 3: WS-Security, what is it? What does it comprise, and when was it introduced? These questions are addressed in this section, along with basic code examples of how it is used with SOAP, XML Encryption and SAML.

Part 4: The first section of this part introduces Kerberos and Microsoft Passport, and briefly looks into .NET services, the threats against them and against .NET servers. This part is the most interesting for me, purely because in my work we develop and deploy web services using ASP and .NET technologies. A basic list of ways to protect your servers is given in this section, ranging from removing unused ISAPI filters in IIS to ensuring the MSSQL sa account password is not blank.

The sections following .NET introduce and describe the Liberty Alliance Project and finally UDDI, neither of which I had even heard of.

Part 5: This final section concludes the whole book, giving an overview of ebXML (electronic business XML), insight into the legal implications of online security, and case studies.

Conclusion

Although most of the book doesn’t apply to what I do in my work, it is nevertheless a very informative and interesting read. The team at McGraw-Hill has really put together an overall look at the security of web services, rather than at a specific technology, touching on more services than I would ever need to use.

It is very well written and in plain English. The book does have technical references that beginners might need further reading to understand. With examples and useful end-of-chapter checklists, the book covers the basic security technologies for securing Web Services.

The things I would hold against this book are that it lacks practical techniques that could be implemented in a production environment, and that I found the case studies very brief and lacking in detail.

I would give Web Services Security 7/10.

Security Forums Discount

The publishers McGraw-Hill have kindly set up a discount section for Security Forums’ users. Discounts can be up to 30% off the RRP, and postage is free on all orders over £20 in the UK & Central Europe.